Data Deluge

Storage demands are reaching a critical point,
and vendors are scrambling to develop products to
deal with all the data that's swamping enterprises.
We look at how these technologies will help storage
administrators manage their major pain points.

IT staffers at all levels


Straight  Talk  on  Security 

Sure, you want users to comply with security edicts, but would you phish your own employees
or  share  your  company's  hack  history?  At  least  some  CIOs  say  yes. 


GOVERNMENT  IT 


Emerging  Tech  Keeps  Cities  Running 


Boston residents are using city-provided apps to improve municipal
operations, that city's CIO, Bill Oates, told


Las Vegas. And one of the city’s newest mobile
apps, Street Bump, piqued the interest of one
of Oates' fellow public servants, Gary Gilot, an
engineer who heads the public works board in


Street Bump uses a smartphone's accelerometer
to record road conditions and then
sends the data to the city. It has already helped
utilities do a better job of keeping the tops
of manhole covers even with the surfaces of
roads, Oates said.

The  app  is  part  of  Boston's  Citizens  Connect 
system,  which  allows  residents  to  report 
problems such as trash, broken streetlights or
graffiti  to  city  officials. 


Now  going  on  Version  4.0,  the  Citizens 
Connect program is set to be deployed statewide,
initially in more than 50 communities.

Gilot  said  he  was  impressed  by  Street 
Bump’s  use  of  crowdsourcing  as  a  way  to 
amass  data  about  road  conditions.  “I  love  the 
idea  of  the  future  —  that  you  can  avoid  the 
expense  by  crowdsourcing,”  he  said. 

South Bend has taken some low-tech approaches
to that problem. It once had city
supervisors  drive  every  street  in 
town  to  rate  road  conditions. 

However,  South  Bend  has  gone 
high  tech  in  other  areas.  The  city 
worked  with  IBM  to  create  a  wireless  sensor 
network  that  detects  changes  in  sewer  flow 
and  alerts  the  city  to  problems.  The  system  has 
reduced overflows and backups, Gilot said.

- Patrick Thibodeau


in  bachelor's  degrees  awarded  in 
computer  science  hit  double  digits. 
In U.S. computer science departments,
the year-over-year increases
were 19.8% overall and 16.5%
among those departments that participated
in the survey this year and
last year, according to the CRA.

Computer  science  enrollment 
trends  “are  somewhat  cyclical 
based  on  the  perceived  strength  of 
the IT sector,” said Peter Marsha,
the  CRA's  director  of  government 
affairs. 

He  noted  that  CRA  members  have 
speculated  that 


to  the  fact  that 
“students  are  much  more  aware  of 
the  importance  of  computational 
thinking  in  just  about  every  other 
field  of  science  and  technology." 

HEADS  UP 


Book Stirs Debate
On Women in IT

Facebook’s  COO  helps  draw  attention  to  the 
continuing  decline  in  the  number  of  female  tech 
workers  in  the  U.S.  By  Patrick  Thibodeau 


cized  for  painting  women  as  victims.” 

Kim Stevenson, vice president and
CIO at Intel, one of 24 female CIOs in
Fortune 100 companies, said her company’s success
in increasing the number of female employees in
mid- to senior-level technical jobs since 2004 isn’t a
fluke.  Stevenson  noted  that  Intel  offers  mentoring 
programs  and  opportunities  for  network-building  for 
women  —  activities  that  Sandberg  champions.  The 
Women  at  Intel  Network  has  22  chapters. 

Stevenson  doesn’t  share  Sandberg’s  view  that 
progress  for  women  has  stalled,  though  she  agrees 
that  more  can  be  done. 

Kathy Harris, managing director of Harris Allied,
an executive recruiting firm specializing in technology,
suggested that women in IT create professional
support networks.

“In pure technology departments, men still outnumber
women by as much as nine to one. The sole woman in a
predominantly  male  team  often  feels  a  sense  of  isolation,”  she  said. 

Karie  Willyerd,  vice  president  of  learning  and  social  adoption 
at  SAP,  said  that  unflattering  stereotypes,  like  the  depictions  of 
engineers in the popular comic strip Dilbert, may have discouraged
young girls from thinking about IT careers. But recent moves
by building block maker Lego and other companies to create
products  aimed  at  exposing  young  girls  to  engineering  could  begin 
to  change  the  cultural  message,  she  added. 

Paula  Hunter,  executive  director  of  the  nonprofit  Outercurve 
Foundation,  which  offers  a  forum  for 
open-source and commercial software
developers to come together.


Cloud Computing's
Big Debt to NASA

Large  enterprises  are  betting  big  on  the  OpenStack 
cloud  platform,  which  is  deeply  rooted  in  the  space 
agency’s  ingenuity.  By  Patrick  Thibodeau 


IBM'S DECISION to base its cloud services on OpenStack
may prove to be a key to establishing the fledgling open-source
platform as the enterprise standard.

The announcement earlier this month follows similar
moves by rival enterprise IT vendors Hewlett-Packard, Dell,
Cisco, Red Hat and Rackspace, whose products are used by many
Fortune 1000 companies.

That  rapid  rise  of  the  three-year-old  technology  may  not  have 
happened  without  NASA  —  a  fact  that's  worthy  of  note  at  a  time 

tech  R&D  initiatives,  which  in  the  past  led 
to  the  development  of  the  Internet,  GPS, 
lasers and other now widely used systems.

OpenStack’s  beginnings  can  be  traced 
to  a  NASA  project  called  Nebula,  which 


compute  engine  code  as  open  source  under 


ity  when  it  came  to  this  being  a  truly  open  and  altruistic 

effort rather than a Rackspace-centric effort with some
ulterior  motive.  NASA  made  sure  it  was  for  everyone.” 

NASA  CIO  Linda  Cureton  is  emphatic  about  NASA’s 
role  in  the  development  of  the  technology.  “If  it  were 
not for NASA, OpenStack would not exist," she said.

NASA  raised  eyebrows  last  year  when  it  began  using 
an  Amazon.com  cloud  platform  that's  widely  seen  as  a 
ICk  OpenStack. 

“Sometimes a prophet isn’t appreciated in their hometown,”
Cureton said. “But I predict that as [OpenStack
adoption] increases — as signaled by IBM’s announcement
— and the commercial viability continues to soar,
NASA will be a consumer of the very capability they
helped create."

“This  is  the  way  it  should  work.  Our  operating  costs  will 
be  reduced,  and  we  will  help  fuel  the  economic  engine  of  our 
country,”  she  added. 

At  its  Pulse  conference  in  Las  Vegas,  IBM  announced  that  all 
of  its  cloud  services  and  software  “will  be  based  on  an  open  cloud 
architecture.”  At  the  same  time,  it  also  unveiled  new  private 
cloud  offerings  based  on  OpenStack. 

Long  a  major  supporter  of  Linux,  IBM  is  also  expected  to  be  a 
major  contributor  to  the  OpenStack  code  base. 




What's the next step in your
career? "I definitely want to
continue  working  in  education. 
That’s  where  I  want  to  be.  My  next 
step  is  probably  a  COO  role,  where 
I  can  have  a  broader  view  of  the 
organization." 


What  accomplishment  are  you 
most proud of? "I'm most proud
of the fact that I made the switch
to a nonprofit and, specifically,
education.  Being  brought  into  the 
mission  of  the  work  and  the  impact 
that  organizations  like  Aspire  have  - 
that's  extremely  fulfilling." 


Hobbies:  "I  love  board  games 
and puzzles, and I do them
whenever  I  can." 


EMMILE BRACK leads the IT department at Aspire Public Schools, a nonprofit organization
that manages 34 public charter schools throughout California. The system
serves 12,000 mostly low-income students in kindergarten through 12th grade, and
its goal is to get all graduating seniors accepted into four-year colleges. Brack is
Aspire’s vice president of technology. She says her department’s task is to make sure Aspire’s
1,500 employees and its students have the technology needed to transform the students’
educational experiences. Brack says one way her team is meeting this goal is by deploying
analytics tools. Here she talks about the lessons she has learned from that project.

What did your organization want to achieve with the analytics deployment? The

main reason for wanting to deploy analytics software was to save time for our teachers,
principals  and  other  teammates.  We  did  a  needs  assessment  and  gathered  that  quite  a 
bit  of  time  was  being  spent  by  teammates  crunching  numbers  or  gathering  data  to  see 


Emmile 

Brack 


A  large  analytics 
project  offers  insight 
into  students’ 
academic  progress. 
What was the biggest mistake you made with this
project? When we implemented the data warehouse
and Tableau, the large appetite for data analysis


A lot of my team is really excited about new
technology but if it’s not grounded in work that
needs to get done, it doesn’t really matter.


rolled  out  reports  and 
dashboards  that  have 
greatly improved efficiency
around analysis
and allowed our teachers
and principals to


What  has  been  the 
biggest  benefit  with 

this analytics deploy-


lot  of  structure  around  how  they're  organized.  Si 
things  like  [how  to]  make  sure  they're  named  co 
rectly,  what  are  the  right  folders  they  should  be  i 
curity  issues  around  who  should  have  access  to  v 
—  that  knowledge  management  we  didn’t  neces: 
think  about  ahead  of  time.  It's  sort  of  biting  us  m 
that  there  are  literally  hundreds  of  reports  out  tl 
and  we’re  trying  to  figure  out  which  ones  are  me 


You have a background in the financial and operations
side of the house. What was the biggest benefit
of  having  experience  in  those  areas  as  you  switched 
to  leading  IT?  It  helps  me  understand  that  IT  should 
be  grounded  in  a  particular  process  and  should 


gitude  dau  on  a  specific  student 
performance.  We  take  what  we 
standardized  tests  that  all  stude 


What  was  the  biggest  liability  of  that  background? 

Because  I'm  not  a  highly  technical  person,  there 
was  a  learning  curve  [in,  for  example,  understand- 


we’ve been able to use Tableau to visualize trends and
the performance of individual students and teachers,
and schools as a whole and as an organization year over
year. It’s improving the ability for our teachers and principals
to be more effective in their work. We could have
done  it  without  Tableau,  but  for  a  teacher  or  principal  to 
do  that,  it  would  have  been  an  enormous  task. 

What  is  the  end  result  of  this  insight?  That  a  piece  of 
data  doesn't  provide  answers,  but  it  prompts  a  teacher 
to ask: Why?

What did you have to do to prepare technically for
this deployment? We built out a data warehouse that
served as a central repository for all of our organizational
data, student achievement data, financial
data,  survey  data.  We  built  that  infrastructure  and 


ing  things]  as  simple  as  our  network  infrastructure. 

I had a little bit of a blind spot to very foundational
technology that’s necessary to support things like the
data warehouse and analytics. So that learning curve
has been a little bit steep for me. But I ask good questions,
and I’m getting up to speed.

What  would  you  do  again  when  taking  on  a  new  role? 

[Recognizing that] it’s all about the team. All the successes
we experience will be as a team. Knowing who
I  have  on  the  team,  knowing  their  perspectives,  their 
work,  what  makes  them  excited  about  coming  to 
work,  I’d  do  that  again.  It  helps  build  trust  and  gives 
insight  into  what  our  issues  are. 

— Interview by Computerworld contributing writer
Mary K. Pratt (marykpratt@verizon.net)


Steven J. Vaughan-Nichols has been writing about
technology and the business of technology
since CP/M-80 was cutting-edge and
300bps was a fast internet connection -
and we liked it!

He can be reached at sjvn@vna1.com.


You  Want  Me  in  the  Office? 
How  20th  Century  of  You. 

IN  AN  AVERAGE  WEEK,  I  work  about  55  hours.  You  probably  won’t  be 
surprised  to  learn  that  I  work  from  home.  I  say  that  because,  in  my 
experience,  people  who  work  from  home  tend  to  work  harder. 

One  person  whom  that  tidbit  about  my  workweek  might  surprise  is 


Yahoo  CEO  Marissa  Mayer.  Or  maybe  she  would 
just  think  I'm  lying.  Mayer,  quite  famously,  has 
told  all  of  her  company's  telecommuters  to  spend 
time  and  gas  money  traveling  to  and  from  the 
office.  It's  part  of  her  plan  to  turn  the  struggling 
Internet  company  around.  Seriously.  And  she's 
not  alone.  Best  Buy  is  doing  likewise. 

Fools. 

Please  don’t  think  that  this  column  is  a  self- 
interested  rant,  motivated  by  a  fear  that  the 
anti-telecommuting mentality will spread until I
too am back in a cubicle. I’m a freelancer, there’s
no office for me to return to. No, the fact is that I
know that telecommuting has many advantages,
for both employers and employees, and I believe
it  would  be  a  mistake  to  regress. 

The  thing  about  judging  a  telecommuting 
program  is  that  you  have  to  decide  what  you 
want  from  your  employees.  It’s  been  reported 
that  Mayer  looked  at  Yahoo’s  VPN  logs  and 
determined  that  too  many  telecommuters 
were  spending  too  little  time  on  the  company 
network. More soundly, Best Buy had relied on
a  policy  called  Results-Only  Work  Environment 
(ROWE),  which  looks  not  at  hours  on  the  job  but 
at  performance. 

ROWE’s  creators,  consultants  Cali  Ressler  and 
Jody  Thompson,  quickly  got  in  on  this  debate, 
sending  an  open  letter  to  Mayer.  In  the  1950s, 
they  wrote,  “collaboration  required  physical 
presence  and  lots  of  paper,”  but  today,  “we  have 
numerous tools that allow us to work from literally
anywhere on the planet.”

Mayer argues that collaboration suffers when
colleagues  aren’t  constantly  bumping  against 


each  other  in  hallways  and  the  cafeteria.  Well, 
every day I work with colleagues scattered
around  the  world.  We  are  bound  together  by 
email,  instant  messaging  and  that  quaint  19th 
century  invention  called  the  telephone.  I’ve 
collaborated  on  books  with  people  who  lived 
thousands  of  miles  away.  This  very  column  is 
being written in Asheville, N.C., and it will be
edited  in  Puerto  Rico,  copy-edited  and  formatted 
for  the  page  in  Massachusetts,  and  printed  in 
Illinois.  As  to  the  argument  that  there’s  no  real 

book  with  a  friend  of  over  20  years  who  I’ve  yet 

Sure, not every job is suitable for telecommuting.
But for those that are, there are multiple
benefits.  As  David  Gewirtz,  author  of  How 
to  Save  Jobs,  has  noted,  Americans  spend  an 
average  of  52  minutes  a  day  commuting.  That 
comes to about 225 hours a year. Most telecommuters
that I know end up giving that extra
time  to  their  employers.  They  sit  down  at  their 
workstation  earlier  and  get  up  from  it  later.  They 
aren’t  watching  the  clock  but  instead  working  on 
and  completing  tasks. 

And  what’s  the  price  of  all  that  extra  face  time? 
Will  companies  have  to  buy  or  rent  more  space  to 
accommodate the workers they call back into the
office?  Are  they  ready  to  pay  for  the  power  those 
extra  bodies  will  use?  Are  they  going  to  need  more 
printers,  parking  spaces  and  support  staffers?  Put 
it  all  together  and  you  get  people  spending  less 
time  on  work  while  companies  spend  more  money 
on office infrastructure. When you put it that way,
Mayer’s big idea just doesn’t make any sense.
As enterprise storage
demands escalate, disk
densities continue to rise.

But the real magic is in software,
where speed and size come
together. By Robert L. Scheier


DOUGLAS SOLTESZ, vice president an( Budd Van Lines, is facing a common
A seemingly endless flood of data.
If he had twice as much capacity, he says, his users
would just ask to keep their video twice as long.

With existing hard drive technologies ending their decade-long
run of ever-increasing densities, IT shops are
waiting for new technologies such as shingled magnetic
recording (SMR) and phase-change memory (PCM)
to boost storage densities. In the meantime, they are
holding down costs — and boosting data access — with
software that virtualizes, deduplicates and caches data
on commodity disk drives, solid-state drives (SSD) and
server-side flash memory.

Disk Density Gets Higher Still

After about 10 years of steadily increasing densities,
disks that use perpendicular magnetic recording
(PMR) are topping out at about 1TB per square inch,
says Mark Re, a senior vice president at storage vendor
Seagate Technology.

In the second half of this year, Seagate will begin
shipping drives that use SMR to squeeze more data
onto disks by overlapping the data tracks on them like
shingles on a roof, says Fang Zhang, a storage analyst at
IHS iSuppli. That should eventually boost drive densities
to 1.3T to 1.4T bits per square inch, says Re, who
adds that Seagate's SMR drives will start with desktop
form factors and spread to other platforms such as
storage arrays next year.


If you gave me an infinite amount
of storage, I could fill it.

MaeutMimi. 


The next advance, which will take disk drives to
5Tbits per square inch, is heat-assisted magnetic
recording (HAMR), which uses a small laser to change
the magnetic properties of the disk, says Re. Seagate's
first HAMR drives are expected in 2015 or 2016.

In the fourth quarter of this year, Seagate rival
Western Digital is expected to release disk drives filled
with helium, which provides less resistance than air
and thus allows the addition of another storage platter
or two to a drive. Those extra platters could lift the
maximum capacity of PMR drives from today's 4TB to
5TB or 6TB, says Zhang. Western Digital says it also
plans to release SMR and HAMR drives within about
two years, and by the end of the decade it hopes to
double hard drive density through the use of self-assembling
molecules and nanoimprinting.

On the flash memory front, vendors are working to
increase not only the density, but also the useful capacity
and life span of flash memory used in server-based
flash storage and SSDs.

The NAND flash on which most flash and SSD
drives are based will begin to be replaced by a new
form of nonvolatile memory called phase-change
memory by around 2016, says Milan Shetti, CTO at
HP Storage. Unlike magnetic recording that records
data by changing the magnetic orientation of a physical
piece of memory, PCM applies heat to change the
electrical conductivity of the media. PCM drives are not
only faster than NAND flash, but their memory cells
can also withstand two to three times the number of
read/write cycles as NAND flash, says Haris Pozidis,
manager of memory and probe technologies at IBM's
Zurich research lab. That's important for applications
such  as  caching  where  data  is  constantly  being  read  and 

Shetti predicts initial drive capacities of about 200
to 250GB, with drive sizes at least doubling by zotS.

He  stresses  that  this  will  all  be  usable  capacity,  which 

of  raw  capacity  is  set  aside  to  replace  cells  that  may 
wear  out.  Shetti  says  he  expects  prices  per  gigabyte  to 
be  comparable  to  those  of  current  flash  drives.  That 
equates to a 15% to 20% price cut, since all of the raw
capacity  will  actually  be  usable. 

Dedupe: A Must-Have Feature

Over the past 10 years, deduplication — the process of
eliminating duplicate copies of data — has moved from
game-changing novelty to must-have feature.

Observers say not to expect any breakthrough
increases in the amounts of data that deduplication
can remove from hard drives. Currently, deduplication
typically reduces data by a factor of seven to 10. Future
improvements will come from increases in the speed
at which data is deduplicated and from the use of standard
deduplication systems across an enterprise.

Speeds will improve as a result of deduplication
being performed in hardware rather than software,
and in nonvolatile memory such as PCM, which is
faster than today's NAND flash, observers say. Predicting
that “every [nonvolatile memory] controller is going
to have [deduplication] built in," Shetti also points out
that,  unlike  disk  drives,  deduplication  doesn't  cause 
defragmentation  on  nonvolatile  memory  drives. 

In-line deduplication, in which data is deduped before it
is ever stored, reduces storage requirements from primary
storage to backup and replicated copies. Pure Storage says
its in-line data deduplication allows its flash arrays to store
five or 10 times as much data as their designated size.

Observers also expect to see deduplication spread
from its traditional use in backup to other applications
and to more computing and storage devices. Dell says
it plans to incorporate the deduplication technology
it gained through its purchase of Ocarina into its
EqualLogic and Compellent product lines, “first with
compression primarily for . . . data like snapshots," and
later for more frequently accessed data and files, says
Travis Vigil, executive director for product marketing
at Dell Storage.

Sean  Kinney,  director  of  product  marketing  at  HP 


Ensuring  an  always-on  data  center  has  the 

highest  operational  efficiency 

PETER PANFIL

Why the power to save energy goes beyond eco-mode


AVAILABILITY IS THE HIGHEST PRIORITY
of any data center, and the UPS
system is the keystone that ensures
the data center is always powered.
At  the  same  time,  cost  savings  and 
energy  efficiency  are  common  business 
priorities.  When  planning  for  a  UPS,  it  pays  to 
consider  multiple  efficiency  strategies  that  will 
effectively  support  availability  requirements. 

Avoid  the  Ratings  Game 

Thanks  to  advances  in  UPS  technology,  the 
potential  to  cut  energy  costs  by  tens  of 
thousands  of  dollars  annually  has  never  been 
greater.  But  don’t  be  swayed  by  a  1  or  2% 
efficiency  difference  unless  availability  for  the 
data  center  is  the  same  for  each  UPS  option. 

Higher  Voltage  =  Bigger  Savings 

It  might  sound  strange  to  think  that  increasing 
your  system  level  voltage  can  actually  save 
money, but it can — and a lot of it. 575/600VAC
from  the  source,  through  the  UPS  and 
distribution,  uses  more  of  the  available  capacity 
of  gear,  breakers  and  wiring.  Adding  a  PDU 
that  compartmentalizes  faults  and  runs  the  IT 
equipment  at  its  highest  efficiency  point  delivers 
the  most  bang  for  the  buck. 

Think  Eco-intelligent 

Eco-mode  has  done  wonders  for  improving  UPS 
efficiency,  but  it  comes  with  a  cost:  some  methods 
of  switching  to  eco-mode  and  back  again  may 
leave availability vulnerable. Ask the UPS supplier
to  explain  how  the  equipment  safely  switches  to 
and  from  eco-mode,  and  ask  to  see  the  waveform 
at  the  point  of  transfer  to  ensure  that  the  power  is 
free  of  disruptive  notches. 


TO THE RESCUE:

Old, Slow Disk and Tape

EVEN AS RESEARCHERS FIDDLE with material science and software
developers fine-tune clustered file systems, two old standbys
- slow, cheap, spinning disk and even older tape drives -
are playing a crucial role in managing the storage flood.


Before moving to the Nexenta NAS/SAN platform,
Budd Van Lines had relied on a Compellent SAN.
While it wasn’t full, “it was running out of IOPS” to
handle a growing number of queries among applications
for work such as month-end accounting, he says.
To provide that performance, the NexentaStor plat-


Storage.  predicted  the  rise  of  unif 
platforms  that  organizations  can  i 
applications  and  storage.  That,  he 


Performance  Meets  Speed 

Some  users  aren't  upgrading  their  storage  systems  solely 
because  they  need  help  managing  large  volumes  of  data; 
they're  also  driven  by  the  need  to  access  data  quickly. 

Case Western Reserve University is moving 100TB
of research file data from an EMC Celerra NS480 to a
Panasas ActiveStor 8 for rapid analysis, and another 65TB
of structured administrative data to a Nexsan NST 5310.
Besides higher performance, users wanted to create single
name spaces as big as 600TB — far above the 64TB limit
of both EMC and NetApp offerings, says Brian Christian,
design senior technical lead at the school.

"Our first, small, high-performance cluster" used a
traditional NAS device acting as Network File Server,
"and we overloaded it. After talking with our peers, we
saw that to grow as we needed, we needed a parallel
NAS. That’s when we acquired Panasas," says Christian.

To  boost  performance,  many  customers  are  using 


among those turning away from proprietary hardware
and software to commodity disk managed by software.

“When I joined three and half years ago, our primary
way of scaling was to buy more storage, faster storage,
and bigger and faster database servers," says CTO Stefan
Piesche. To reduce costs even while his storage needs
grow 15% to 25% per year, he is switching from IBM's
DB2 database running on 3Par SANs to the open-source
MySQL and Cassandra NoSQL databases running on
Dell servers, commodity disk and Fusion-io flash cards.

This new platform, he says, is not only an “order of
magnitude faster" than its older storage but delivers
high performance, availability and disaster recovery
without the need for extensive management. The performance
gain achieved by writing data to six storage


He also notes his customers won’t suffer if the marketing
data stored in one of those copies is a few milliseconds
out of date — although that wouldn’t be true for a
financial trading system where prices constantly change.

“Sharding," or splitting databases also helps Constant


Contact scale easily, he says. "We can put a set of customers
on Databases A, B and C, [which are] usually multiple
instances of the same database with the same schema.
We want them to be identical and on commodity
hardware, to keep our operational costs low, so it's a non-event
to roll out a new one. For 50,000 customers, we
add two commodity database servers running MySQL,"
with no performance hit on other users, says Piesche.

Another  vendor  in  this  space  is  CommVault,  which 
says  its  Simpana  software  platform  cuts  storage  costs 
by  up  to  50%,  administrative  overhead  by  up  to  80% 
and  annual  support  costs  by  up  to  35%  by  reducing  the 
number  of  copies  of  data  stored  as  well  as  the  number 
of  storage-related  applications  to  buy  and  maintain. 


For the vast majority of people
there's no such thing as
a data recession.

GREG SCHULZ


Sanbolic claims its Melio data management platform
provides high availability, application scale-out using
shared-data server clusters, fast access to any size files
in a variety of workloads, and is scalable to more than
2,000 physical or virtual nodes and up to 65,000 storage
devices. Its Latency Targeted Allocator allows the Melio
platform to share server-side flash and SSDs within
storage arrays, as well as conventional hard drives,
across nodes. This eliminates single points of failure and
hard-to-access data and application silos, says CEO and
co-founder Momchil Michailov.

Some newer vendors package their software in
the form of physical hardware with disks and processors.
Gridstore's storage appliances virtualize storage
controllers as well as data to eliminate single points
of failure and provide faster, parallel data access from
many servers. This allows the number of controllers
to grow, tapping unused computing power to scale
performance as well as capacity. However, it currently
supports only Windows and file-based storage.

Another software-based approach to scalability is
distributing "slices" of data over many physical databases.
Cleversafe's dsNet technology, also sold as appliances,
works best with more than a petabyte of storage, made
up of objects more than 50 to 100KB in size. This is ideal,
says President and CEO Chris Gladwin, for applications
such as photo sharing over the Web.

What's Next

As hard drives get bigger and faster, flash gets bigger
and more reliable, and open-source storage stacks
mature, some industry watchers see fundamental
changes in how organizations cope with the data flood.

With the adoption of new nonvolatile memory
technologies, the need for tiering data between solid
state and spinning disk will diminish as new technologies
become cost-competitive with higher-end Fibre
Channel and SAS disks, predicts Shetti. Higher-capacity,
lower-cost SATA disks will still have a role,
but he says the complexity of packaging and different
software interfaces will discourage users from mixing
nonvolatile memory and SATA in the same system.

Within three to five years, the price of flash drives
will be somewhere around the same cost as high
performance disk, says Hu Yoshida, CTO at Hitachi
Data Systems. They are already at parity, he says, when
the capacity of the hard drives is reduced by short-stroking
(using only part of the disk capacity to speed
performance by reducing the distance the read/write
heads must travel to reach the data) and by writing
data across multiple disks in RAID data protection
configurations.

Even  commodity  hard  drives,  however,  will  gain 
speed  as  vendors  add  more  cache  to  them.  Seagate 
expects  such  "hybrid"  drives  to  make  up  most  of  its 
product  line  by  the  middle  of  the  decade. 

Cloud storage services will provide slow but
extremely low-cost archiving services to reduce the
in-house storage load. Amazon Glacier, for example,
costs as little as 1 cent per gigabyte per month. While
“it could take three to five hours to retrieve that data,”
that might be no longer than it would take to restore
data from tape stored offsite — and Glacier would be
cost-competitive with tape, says Greg Schulz, founder
of consultancy StorageIO.

“Object stores can reduce storage costs and complexity
by eliminating the need for hierarchical file
systems," says Gladwin. “In a very large data storage
system, running a file system [requires] additional
racks of servers” that consume power, take up space
and cost money. With an object store, he says, an application
such as a social media website lets a user search
for friends without using a file system.

Meanwhile, IT shops continue to be drawn to the
cloud's combination of cost efficiencies, low-cost hardware
and low-cost, open-source software.

Constant Contact, for example, is considering “private
storage clouds," possibly using open-source software,
on the system of a provider such as Amazon S3, for the
low costs and “almost unlimited horizontal scale" they
can deliver, says Piesche. Using Cassandra, for example,
he says he would like to scatter storage clusters among
distributed data centers for disaster recovery “without
any licensing costs, without any complicated setup and
without any manual intervention."

The replication capabilities he needs aren’t available
yet. But he has to keep looking because, as Schulz says,
“For the vast majority of people there’s no such thing as
a data recession." ♦

Scheier is a veteran technology writer. He can be reached
Better NAND, Lower Cost, Smarter SSD's
with managing data storage. They demand simplicity
(but want power, too). By Kevin Fogarty

The torrent of data that threatens to
overwhelm many corporate IT departments
has driven demand for new types of storage
technology. Storage managers aren’t asking
for ever-larger, ever-more-complex boxes like
those that play leading roles in traditional
marketing campaigns and vendor bragfests.

SPOTLIGHT | STORAGE


Storage managers need faster, higher-capacity hardware to
keep up with volumes of data that nearly double every two years.

What they need even more, however, is simplicity.

"With budgets growing slowly and head counts actually
going down a bit, the challenge eventually becomes, How do
you manage 30% more data without 30% more budget or 30%
more head count?” says Dick Csaplar, a virtualization and
storage analyst at Aberdeen Group.

Aberdeen's research indicates that most companies have
between eight and 18 storage specialists on staff, most with job
descriptions that have been expanding for years.

“It’s not enough to know which box in the warehouse has the
tape with the data you need," says Csaplar. “You have to be able to
run e-discovery searches and produce the data within strict time
limits. That’s a big change even with the same amount of data."

Simply storing, tracking and securing vast amounts of data
is a challenge for any IT department, but the oceans of data
are to blame only for the demand for storage space, not for IT’s
limited ability to deal with it, according to IDC storage analyst
Ashish Nadkarni.

IT’s real difficulty — the lack of storage specialists and,
ultimately, the need for simpler solutions to complex storage
problems — started with one of the biggest wins corporate IT
has ever had: server virtualization, Nadkarni says.


"We have the file servers and VPN and whatever else, so
we could have just set up a file-share ourselves," says Bill
O’Donnell, chief architect at Kayak. "It’s less of a headache
to use Dropbox than it is to provision a big RAID array in the
server room and set up LDAP groups and work through issues
with the VPN and answer calls from people in [the] Zurich
[office] who hate using it."

Kayak uses the year-old Dropbox for Teams service, which
acts as a central repository for teams of any size, keeping everyone
up to date using Dropbox client software that automatically
replicates any changes made on the service to whatever device
a team member is using at the time.

The service costs $795 per year for five team members and
$125 for each additional member. There is no limit on the
amount of space they can use, but a Teams account starts with
1 terabyte of storage, according to Dropbox.

“Doing it ourselves would be time-consuming and frustrating,
and Dropbox is pretty easy and people know we’ll get those
files onto their disks without their having to do much about it,”
O’Donnell says.

Dropbox for Teams encrypts data being transmitted across
the Internet and gives administrators a simple interface that
tells them which team members are logged in and from where.
It can also link or unlink applications to data on the service and


The challenge eventually becomes, How do you manage 30% more
data without 30% more budget or 30% more head count?


Virtualized systems are more efficient than older equipment,
and they changed IT in fundamental ways. Rather than having
one group of specialists responsible for all the storage, another
responsible for applications and a third for servers, Nadkarni says,
responsibility for all three fell, usually, to a single administrator.

That change was so fundamental that it rippled throughout
IT, forcing organizational changes designed to match what the
company was trying to accomplish with virtual servers, virtual
apps, mobile devices, cloud platforms and all the other follow-on
technologies, Csaplar says.

“Ultimately, everything else has to get simpler because
virtual-server admins don’t have time to learn a lot of overly
complex interfaces,” Kerns says.

Finding Efficiency in the Cloud

IT  found  some  of  the  simple  efficiency  it  needed  in  the  same 
technology  blamed  for  at  least  part  of  the  flood  of  data  that  is 
drowning  IT:  the  cloud. 

Discount travel website Kayak.com, for example, found that
building file-sharing systems that its developers could use to exchange
code, graphics and other files was far more complicated
and troublesome than just handing the job off to Dropbox — a
Web service that has become the poster child for free, unmoni-


log all activity to give admins a simple view of everything at


Dropbox’s Teams service.

Since early February, Teams has also supported two-factor authentication,
which increases security by requiring not just a user’s
username and password but also a passcode from a separate device
only the user holds.

Other cloud services are also adding business-friendly
management features, but cloud-based storage has proved itself
secure and reliable enough for many companies to use the same
version that consumers use, according to Randy Kerns, a senior
strategist at Evaluator Group, a storage consultancy.

“Information is leaking out everywhere — mobile devices,
personal cloud accounts, home devices, you name it," Kerns says.

That kind of “leak” and the decision to use cloud services
aimed at consumers may look like red flags to traditional IT
storage managers but are actually reasonable accommodations
to both the needs of users and the reality of short-staffed IT
departments, he says.

“People inside a company look for the simplest way to get
something done, which has been a big force in cloud and
mobile and other areas," Kerns says. “IT has had to react to
that, so they’re asking for ways to monitor who’s doing what
[and create] some kind of tracking for the data."


Cloud: Not the Whole Problem

Using the cloud for discrete functions like file sharing for a
single department or SaaS application instead of one installed


information  management  infrastructure  easier  to  access  and 
easier  to  apply,"  Kerns  says.  That's  exactly  what  EMC  did  last 
year  when  it  adapted  the  popular  software  that  controls  its 


very slowly the enterprise
[vendors] are catching up."
The key to simple storage
quickly?’ and 'Can we do
it simply?'" Nadkarni says.
"Virtualization created a
huge shift in how storage


the big vendors that the big
guys [like IBM, HDS, EMC
and NetApp] may not catch
tion decisions.

“Efficiency comes from automation, and a lot of the automation
is coming from things like FAST — from storage optimization
software from other vendors that allow storage to be easily
managed without people having to deal with performance
issues or spend hours moving data from one place or another,"
Nadkarni says.

Most of the big storage vendors talk as if they’re more advanced
than they actually are, however, Kerns says.

“The issue is more than just how to make things more user-friendly.
They need to make the core functions of the whole


management] from a different
direction, almost coming
from the bottom up to eat things like FAST and the other
IT-focused things," O’Donnell says. “Synology suited more as a
home or small business thing, but that console is incredible. It’s
windowed, interactive, almost like a Windows system. You’d
have killed to have it 10 years ago.

“The bar for how good a user interface or management
system is has been raised, a lot,” O’Donnell says. “The big guys

Fogarty writes about enterprise IT. You can follow him
on Twitter (@KevinFogarty).
SECURITY

From phishing your own employees to sharing your
company’s hack history, these techniques can help you get
- and keep - users’ attention about security. By Stacy Collett

malware attacks, an 81% inc
and reported a 35% increase
variants. Those findings, documented in the
company’s latest annual “Internet Security
Threat Report,” might cause IT leaders to
wonder if they’re doing everything possible to protect their
organizations.

And well they should. Security folks, in
struggling to establish policies and procedures
that are both effective and easy to implement,
often forget a crucial step, experts say: communicating
their security goals effectively, so
that employees not only follow the security
procedures but also understand the reason for
having a security policy and embrace its goals.

"Compliance is necessary, but it’s not sufficient,”
says Malcolm Harkins, vice president
and chief information security officer at Intel.

Harkins' goal is to get employees to go beyond
compliance toward full commitment to protecting
the company's information. "If they’re
committed to doing the right thing and protecting
the company, and if they're provided
with the right information, [then] they’ll make
reasonable risk decisions.”

To be sure, employees don't play a role in
every type of corporate security breach (see
chart). But user behavior and noncompliance
are implicated in many, including mobile
malware attacks, social network schemes and
advanced target attacks. In the face of such
an onslaught, a wall poster of security tips
hanging in the break room is useless, says Julie
Peeler, foundation director at the International
Information Systems Security Certification Consortium — also
known as (ISC)² — a global, nonprofit organization that educates
and certifies information security professionals.

Managers need to ensure that employees understand the security
posture of the company from day one, Peeler says. Employees
must be willing to sign confidentiality agreements, attend
training and practice ongoing vigilance. "Security training is not
a one-time event. It has to be integrated throughout the entire
organization, and it has to come from the top," she says.

Here's a look at five best practices for making information
security a corporatewide responsibility.


Compliance [with
the company's
security policy] is
necessary, but it's
not sufficient.

MALCOLM HARKINS, VICE PRESIDENT
AND CHIEF INFORMATION SECURITY
OFFICER, INTEL


TOP 10 THREAT ACTIONS USED
IN ENTERPRISE ATTACKS

Stolen login credentials: 30%
Backdoor malware: 18%
Backdoor or command-and-control channel hacking: 17%
Physical tampering: 17%
Keylogger/form-grabber/spyware: 13%
Pretexting (classic social engineering): 12%
Brute force and dictionary attacks: 8%
SQL injection exploits: 8%
Phishing (or any type of "-ishing"): 8%
Command and control malware: 8%


1 Put Threats Into Context

People don’t internalize security best practices by
simply being told what to do or by being scared into
compliance, Peeler says. And Harkins agrees: “You
don't want to spin information security compliance as
fear,” he says. "Fear is like junk food — it can sustain
you for a bit, but in the long run it's not healthy.”

Instead, both experts say, employees are more likely to be
motivated into compliance if security managers can put risk into a
context that relates to them directly. Most employees know that a
security breach affects not just data, but also the company's brand
and reputation. But Harkins notes that employees in some business
units might not fully understand that they could play a role in
a breach just by doing what they consider business as usual.

A marketing team, for instance, might want to launch a new
interactive website ahead of its competitors, he explains. The
website’s content might seem harmless if, for example, it doesn’t
include intellectual property — just a few interactive screens and
videos. But what if a third-party provider that helped develop the
site left vulnerabilities that allow a hacker to implant malware in
one of the links on the site? Explaining such
risks ahead of time, and in a way that's specific
to the department's line of business, helps
ensure the group will do what's necessary to
mitigate damage, Harkins says.

Real-world examples can also drive the
message home. When a data breach makes the
news, use it as a teaching tool — in training
classes, via email or through video presentations.
Discuss the likelihood of a similar
breach occurring in your organization. Ask:
How would a breach like this have affected
our company? What people or business units
should remain extra vigilant against a similar
attack? What security measures do you already
have in place to protect against such an attack?


2 Go Phishing, Internally

Another effective technique is to
launch simulated phishing scams.
Then see how many employees take
the bait, and offer advice on avoiding
similar real-world scams.

Royal Philips Electronics recently launched
a pilot program of controlled phishing attacks,
says Nick Mankovich, chief information
security officer. Working with a professional
phishing partner, whom Mankovich declined to name, Philips
simulates an email scam that tries to get employees to click a link
to a website and then enter their password and username. When
an employee clicks on the link, a message pops up explaining his
error and offering tips to avoid being scammed in the future.

“It’s not about embarrassing or surveilling anyone. It’s really
about giving material that means something at the moment when
they click on the [phony] link," Mankovich says.

Depending  on  the  exact  nature  of  the  attack,  tips  might 
include  questions  like:  Did  the  email  come  from  a  trusted 
source?  Was  there  something  misspelled  or  unusual  about  the 
link?  Did  you  remember  to  hover  the  mouse  over  the  link  and 
check  the  bottom  of  the  screen  to  see  if  the  actual  target  URL 
matched  the  one  in  the  body  of  the  message? 

So far, Philips has conducted three phishing experiments
involving 250 employees each; eventually, Mankovich hopes to test
all of the company’s 90,000 email-connected employees worldwide.
Future tests will be stealthier and more intricate, he says.

“At the end of each pilot, we talk to a few of the users to see
what they felt about the experience — both those who fell for the
phishing and those who did not," Mankovich says. “We [typically]
have a very small percentage of people who did the bad
behavior, and those people do get the message."

3  Protect  to  Enable 

In  light  of  the  increasingly  virulent  cyberthreats  out 
in  the  wild,  IT  leaders  struggle  to  protect  the  oiganiza- 
tion  while  giving  business  units  the  freedom  to  choose 
their  own  apps,  launch  their  own  online  initiatives 
and  adopt  new  devices.  But  “the  more  drag  you  put 
on  information  flow,  the  slower  the  business  velocity,  which  also 
creates  strategic  risk  issues,”  Harkins  says. 

That’s why Intel adopted the mantra “protect to enable” three years
ago. Rather than focusing primarily on locking down assets, the
information security group aims to enable business goals “while
applying a reasonable level of protection,” Harkins says. To do
this, IT needs three things: an adequate level of understanding of
the business side’s situation and needs, input from both technical
and business professionals on the risks and rewards of a given
security decision, and a clear channel of communication among all
levels and units of the business.

In 2009, Intel’s IT department partnered with the company’s legal
and human resources groups to define security and usage policies
for a new bring-your-own-device program. The company began allowing
access to corporate email and calendars from employee-owned
smartphones in January of 2010, Harkins says. The initiative has
been successful in keeping corporate data safe while allowing
employees to use their own devices for work. And as new devices come
on board, the company continues to define new security and use
policies.

4  Share  Your  Company’s  Hack  History 

Although controversial, sharing — in confidence, of course — the
number and nature of attempted hacks on your company’s systems can
be a strong motivator toward security compliance, Peeler says.
“People don’t really understand how often a company’s own systems
are under attack,” she points out.

Harkins agrees. Security leaders, he says, “have got to show data,
and relate it to the business goals” and then they have to show how
progress toward achieving those goals will be affected if ongoing
incidents are not addressed. “The more your predictions start to
come true,” he adds, “[the more] you’re demonstrating that you know
what you’re doing and that you’re not trying to impede the business
— you’re trying to help the business.”


A little flexibility goes a long way toward getting employee buy-in
on security.

INSURANCE PROVIDER Endurance Specialty Holdings tries to establish
policies that don’t limit users from performing their jobs, says CIO
Tom Terry. “There’s generally a good reason why they’re asking for a
particular software, tool or device. We attempt to understand the
problem they’re trying to solve and give them tools to address their
needs in a secure manner.”

For instance, many business units needed USB devices to transfer
data, but the IT organization knew that USB devices can be a major
contributor to data loss if they’re not managed properly. So the
Endurance IT team said “yes, but ...” by distributing the devices
but also instituting - and explaining - a policy mandating that the
devices had to be password-protected and encrypted.

“When the business sees you working with them in a collaborative
fashion, then you can move the dial forward” in terms of a shared
corporate response to security, says Terry.


Intel has found ways to put breach data to good use without sharing
too much confidential information. For instance, Harkins says, “we
had an employee who stole intellectual property from us a few years
ago and was convicted earlier this year. We posted to all employees
the story of what happened, how we found out, and reminded everyone
of the expectations we have of them.”

Intel also posts its lost or stolen laptop rates and shares mistakes
made by employees, such as posting information to a social site, and
describes the risk that created for the company. “But we don’t share
who did it or other details that would embarrass or create issues
for the employee,” Harkins clarifies.

Others have mixed feelings about such tactics. Mankovich says
sharing information about breaches “bears consideration,” but he
worries that any shared information could jump the fence to the
outside world. “My first reaction is that, with 124,000 employees in
60 countries, we couldn’t avoid it going public,” Mankovich says.
“We must consider the downside of providing the bad guys with attack
intelligence. That in itself might increase risk.”

Ultimately, convincing employees to remain vigilant is a job shared
by both IT and the business. “We really have to understand how the
workforce is changing, how are we changing the workforce, and how
the expectations of people who use our products or partner with us
are changing,” Mankovich sums up. “The job is endless, but it’s
exciting.” •

Collett is a Computerworld contributing writer. You can contact
her at strollett@conicast.nrt.
MATHIAS THURMAN

Security Lab Is a Promising Step


IT’S A GREAT THING when a security manager doesn’t have to go into
battle mode every time a new corporate initiative emerges. When
other departments show signs that they aren’t putting security last,
I can relax a bit. But just a little bit. Even in those cases, I
want to have input.

For the most part, I was happy when the R&D department came to me
last week to discuss their plan to create a software security test
lab. The R&D team has been charged with enhancing the security of
the software portion of our products, and one of their require-

they can run hacking and assessment tools and code-scanning
software. That will free them up to conduct such activity whenever
they want, without notifying anyone. When my department conducts
security assessments or penetration testing against our corporate
applications, we schedule the activity at a time that minimizes the
impact, and we let everyone know.

Before the architecture team went to work designing the lab, I
created a set of security requirements. The first and

segmented from our production network. Other requirements included a
separate firewall protecting the lab from the corporate network and
extremely limited access to the public Internet. I don’t want any
inquisitive engineers running scans against resources on the
Internet — that could get us into trouble. Also, access to the lab
must be controlled and logged.

The lab will be segmented into several virtual LANs, with firewall
rules in place to protect one VLAN from another. For

running assessments, penetration testing, code scanning and other
activity. The products to be tested will reside on another VLAN,
while any source code will reside on yet another. Most of the
resources will be installed on virtual machines, so the servers can
be quickly taken down and redeployed if necessary. We will set up a
bastion host, with access to the lab network restricted to those who
have access to the lab itself.
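The requirements in the two paragraphs above (segmentation from production, a firewall toward the corporate network, tightly limited Internet access, logged access through a bastion host, and VLANs protected from one another) can be checked mechanically against a firewall rule table. The following is an added example, not the author's configuration; the zone names, the rule format, the permitted tools-to-products and tools-to-source flows, and the update host are all assumptions.

```python
from dataclasses import dataclass

# Zone names are assumptions for this example; the article names no VLANs.
LAB = {"lab-tools", "lab-targets", "lab-source"}
ZONES = LAB | {"bastion", "corp", "prod", "internet"}
# Assumed inter-VLAN needs: the tools VLAN scans the products and the source.
INTRA_OK = {("lab-tools", "lab-targets"), ("lab-tools", "lab-source")}


@dataclass(frozen=True)
class Rule:
    src: str                # source zone or "any"
    dst: str                # destination zone or "any"
    port: str               # e.g. "tcp/22" or "any"
    action: str             # "allow" or "deny"
    log: bool = False
    dst_host: str = "any"   # named destination, used for Internet egress


def covers(field):
    """Set of zones a rule field can match; "any" matches every zone."""
    return set(ZONES) if field == "any" else {field}


def audit(rules, egress_allowlist=()):
    """Return (rule number, problem) for each allow rule that breaks a requirement.

    Rule order is not modelled, so a finding means "review this rule".
    """
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        src, dst = covers(r.src), covers(r.dst)
        src_lab, dst_lab = src & LAB, dst & LAB
        outside = src - LAB - {"bastion"}
        if dst_lab and outside:
            findings.append((n, "lab reachable without the bastion host"))
        if src_lab and dst & {"prod", "corp"}:
            findings.append((n, "lab can reach production or corporate network"))
        if src_lab and "internet" in dst and r.dst_host not in egress_allowlist:
            findings.append((n, "Internet egress not limited to an allowlisted host"))
        entry = ("bastion" in dst and outside) or ("bastion" in src and dst_lab)
        if entry and not r.log:
            findings.append((n, "lab access path is not logged"))
        if any(s != d and (s, d) not in INTRA_OK for s in src_lab for d in dst_lab):
            findings.append((n, "lab VLANs not protected from one another"))
    return findings


# Constructed draft rule set containing the mistakes the requirements rule out.
DRAFT_RULES = [
    Rule("corp", "lab-tools", "tcp/22", "allow"),          # bypasses the bastion
    Rule("lab-tools", "any", "any", "allow"),              # reaches prod and Internet
    Rule("corp", "bastion", "tcp/22", "allow"),            # entry point, unlogged
    Rule("bastion", "lab-tools", "tcp/22", "allow", log=True),
    Rule("lab-targets", "lab-source", "tcp/443", "allow"), # product VLAN reads source
]

# Constructed corrected rule set; updates.example.test is a placeholder host.
HARDENED_RULES = [
    Rule("corp", "bastion", "tcp/22", "allow", log=True),
    Rule("bastion", "lab-tools", "tcp/22", "allow", log=True),
    Rule("lab-tools", "lab-targets", "any", "allow"),
    Rule("lab-tools", "lab-source", "tcp/443", "allow"),
    Rule("lab-tools", "internet", "tcp/443", "allow", dst_host="updates.example.test"),
    Rule("any", "any", "any", "deny", log=True),
]

if __name__ == "__main__":
    for number, problem in audit(DRAFT_RULES):
        print(f"rule {number}: {problem}")
    print(audit(HARDENED_RULES, {"updates.example.test"}))
```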

At least at first, we’ll stock the lab with some fairly common
tools, and then upgrade as the engineers get properly trained on how
to conduct assessments. One will be Nessus, a fairly easy-to-use

tions and also has an extensive menu of plug-ins, including a
variety of application vulnerability checks. Another tool will be
Metasploit, which is one of my favorites. It can be very helpful in
running attacks against potentially vulnerable

SQL injection vulnerability, Metasploit can attempt several SQL
attacks that will validate the vulnerability — you don’t have to be
an expert in SQL. That’s definitely handy, since SQL injection has
been used in many recent attacks compromising user passwords.


Action plan: It’s good news, and guidance from the security manager
will ensure that it’s done right.


Another of my favorites is Burp Suite, a set of application
assessment utilities that let you do things like intercept traffic
between the client browser and Web application. For example, if an
application’s password-reset logic isn’t written prop-

well as a tool to run static code analysis. That tool will
eventually be incorporated into our software development life cycle
and will be employed to assess the sanity

tools properly, and I want them to learn to think like a hacker. To
help, I’ll find a trusted third party to provide training

and penetration testing. Slowly but surely, all of this will get all
of our engineers to thinking about security early and often in the
development process. •

This week’s journal is written by a real


The  lab  will  be  segmented  into  several  virtual 
LANs,  with  firewalls  to  protect  them. 
OPINION


iPad  vs.  PC:  Sometimes  the 
Accepted  Wisdom  Is  Right 


Just  because 
PC  makers  are 
innovating 
doesn't  mean 
people  will 
buy  the  new 
hardware. 


Preston Gralla is a Computerworld.com contributing editor and the
author of more than 35 books, including How the Internet Works
(Que, 2005).


WILL  INNOVATIVE  PCS  put  an  end  to  the  iPad  era? 

It  has  become  accepted  wisdom  among  IT  professionals  and 
industry  observers  that  tablets  have  eaten  heavily  into  PC  sales 
and  will  continue  to  do  so,  bringing  the  PC  era  to  a  close. 


Of course, there is always a naysayer, and at least one analyst is
challenging the accepted wisdom. Citibank’s Glen Yeung argues that
PCs will reclaim the innovation crown from Apple’s iPad. In a recent
research note to clients, Yeung says that Apple’s plans for
upgrading the next generation of iPads call for only the basics: an
improved screen, a smaller and lighter footprint and a new
processor. His conclusion: “iPad innovation of this nature is
insufficient to reverse share loss.”

For him, true innovation will come in the Windows world, where a new
generation of “touch-based, ultrathin, all-day notebooks at
improving price points” is poised to turn people back to the
possibilities of a PC.

Intel’s new Haswell chip will make this possible, Yeung says. I
won’t get into all the nitty-gritty specs of the Haswell chip. But
here’s what’s important: The chip, expected to be launched in June,
is designed to deliver high performance with very low power
consumption. In addition, Yeung claims that Intel will require all
Haswell-based ultrabooks to be touch-enabled, adding that the
company “envisions price points as low as $599.”

But the Haswell chip isn’t just for ultrabooks. You can also expect
Windows 8 tablets, as well as hybrid devices — thin, light machines
that do dual duty as notebooks and tablets. It’s become a truism
that tablets are for consuming content and notebooks for creating
it. These hybrids will be able to change form and do both.

There’s some evidence that Yeung might be on to something. A recent
Forrester report, “2013 Mobile Workforce Adoption Trends,” found
that for their next tablet, information workers favor Windows over
the iPad, with 32% saying they want a Windows tablet, 26% opting for
an Apple tablet, and 12% choosing an Android device. In total, the
report claims, 200 million information workers prefer Windows
tablets over competing devices.

It’s also clear that hardware makers are experimenting far more with
Windows devices than Apple is with the iPad. With Apple’s current
plans, the iPad you’re using today is largely the same as the next
iPad you’ll buy, except the new one will be faster and lighter and
will have a better screen. Windows 8, though, has led to an
explosion in the number of form factors and ways to interact with
the operating system. Notable new options include touch-enabled
ultrabooks and a variety of tablet-ultrabook combos. There’s even
talk of a Windows “phablet,” a Windows Phone crossed with a Windows
tablet.

That all bodes well for Windows. But I’m not yet convinced that
Yeung is right. Sales of Windows 8 devices remain sluggish, and iPad
sales show no sign of slowing down. Moreover, a Gartner report says
that the popularity of iPads and iPhones is forcing enterprises to
support Macs as well as PCs, and that Macs will be as commonly
accepted in enterprises as PCs by 2014.

In the hardware world, there is no “build it and they will come”
imperative. Just because PC makers are innovating doesn’t mean
people will buy the new hardware. So until I see PC and Windows
tablet sales leap and iPad sales stagnate, I won’t be a believer in
Yeung’s theory. ♦
can’t  hear  the  music  that  al¬ 
In  the  past.  That  was  true. 


the  invitation  and 
found  that  the 


And because he was logged in, the meeting had begun, so no music
was going to play."


fish is IT director, the topic of students' lost emails comes up at
a staff meeting. "Before I could say anything, a midlevel, non-tech
manager decided to educate everyone on how email
MOVING TO the cloud may reduce infrastructure costs and headaches,
but clouds have their shortcomings. When they rain, millions can
quickly become drenched. In the past year, Amazon, Microsoft, Google
and other providers experienced problems, from minor disruptions to
major outages. A June 2012 headline captured the fallout: “Modern
life halted as Netflix, Pinterest, Instagram go down.”

The service interruptions experienced by those companies and others
disappointed countless consumers, but it was worse than a
disappointment for the businesses themselves. They had come to
depend heavily on cloud reliability; when the cloud services they
had put their trust in failed, it was as if they had ceased to
exist. All the outages were temporary, of course, but revenues were
lost during the downtime, and afterwards customers wrote blog posts
expressing everything from disappointment to anger, with some
proclaiming that they would take their business elsewhere.

Organizations that depend on cloud services need to manage four
areas to help ensure that their dependence isn’t a liability:

■ Providers. Ideally, a cloud provider should be managed, monitored
and measured like other critical IT suppliers. It is naive to take
an “out of sight, out of mind” approach with cloud providers. Begin
by setting clear performance goals with well-defined metrics. Assign
staff to monitor performance and manage the supplier relationship.

■ Resiliency. All cloud providers suffer periodic service
degradation and occasional full outages. Unfortunately, restoration
of normal service may not be fast enough to meet your business
needs. On its blog, Netflix says, “It is still early days for cloud
innovation, and there is certainly more to do in terms of building
resiliency in the cloud.” The blog describes the steps Netflix is
taking to improve resiliency within Amazon’s cloud.

Your enterprise architecture must also be designed for resiliency.
Typical approaches involve


t  single 


provider’s  cloud.  The  truly  paranoid 
spread  their  assets  across  multiple  cloud  providers. 

■ Executive expectations. IT professionals tend to be realistic
about the reliability that is possible in the cloud, but a lot of
executives on the business side expect well-known cloud providers to
offer flawless service. They want “dial-tone” reliability, like the
service provided by the old Bell system. But that’s a standard that
cloud suppliers can’t meet now and are unlikely to fulfill anytime
soon. (And even Ma Bell experienced occasional service problems.)
And even if cloud vendors do one day offer dial-tone reliability, it
would likely carry a premium price tag and would be cost-effective
only for high-end products.

■ Customer relations. Customers may become angry when their favorite
services or phone apps are slow or temporarily unavailable. Your
customer service staff’s response must be sympathetic, informative
and timely. When outages occur or service levels are significantly
hampered, acknowledge the issue, apologize profusely, post status
updates regularly, and share preventative measures as they are
developed.

While the cloud offers a valuable alternative to extensive and
expensive infrastructure, it’s not yet perfect. When IT comes under
attack for flawed cloud service, remind executives what prompted the
move to the cloud: the difference between costs incurred with a
cloud provider and those required to build and operate an enterprise
infrastructure. Most good bargains require some level of trade-off,
and clouds are no exception. ♦